)]}'
{"specs/yoga/allowed-address-pair-match-any-mac-address.rst":[{"author":{"_account_id":9531,"name":"liuyulong","display_name":"LIU Yulong","email":"i@liuyulong.me","username":"LIU-Yulong"},"change_message_id":"0312c59e4c9ab70a52b89b6d47428c8efdacf19e","unresolved":true,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The proposal is to extend \u0027allowed_address_pairs\u0027 attribute for ports so that"},{"line_number":42,"context_line":"its \u0027mac_address\u0027 field accepts a special value \"ANY\" that would disable MAC"},{"line_number":43,"context_line":"anti-spoofing mechanism. IP address enforcement may still continue, based on"},{"line_number":44,"context_line":"the corresponding \u0027ip_address\u0027 field value of the pair."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Having multiple address pairs with \"ANY\" \u0027mac_address\u0027 field value is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"73ee6db6_7264d989","line":43,"range":{"start_line":42,"start_character":65,"end_line":43,"end_character":24},"updated":"2021-11-05 02:09:02.000000000","message":"One more thing, each secrity group driver has flag provides_arp_spoofing_protection\u003dTrue/False to indicate if the driver has the ability to provide anti arp and mac spoofing [1]. If the driver has such function, [2][3] will not be set. Yes, openvswitch secrity group driver has such ability [4]. So for this propsal here, please make sure the firewall drivers have no side effect. It\u0027s better to illustrate the details.\n\n[1] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L331\n[2] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1221\n[3] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L1290\n[4] https://github.com/openstack/neutron/blob/master/neutron/agent/linux/openvswitch_firewall/firewall.py#L538","commit_id":"9e94c82113cb91854e234b60e9623c0ee254b8e5"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"a64eb3d1dc0493e6d3b20215c7127e49f05c19b7","unresolved":false,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"The proposal is to extend \u0027allowed_address_pairs\u0027 attribute for ports so that"},{"line_number":42,"context_line":"its \u0027mac_address\u0027 field accepts a special value \"ANY\" that would disable MAC"},{"line_number":43,"context_line":"anti-spoofing mechanism. IP address enforcement may still continue, based on"},{"line_number":44,"context_line":"the corresponding \u0027ip_address\u0027 field value of the pair."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"Having multiple address pairs with \"ANY\" \u0027mac_address\u0027 field value is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"29864065_41a10b64","line":43,"range":{"start_line":42,"start_character":65,"end_line":43,"end_character":24},"in_reply_to":"73ee6db6_7264d989","updated":"2021-11-29 18:25:44.000000000","message":"Thank you for the comment, it pointed to an aspect that I was not aware of before. I\u0027ve covered this issue in the new patch set. Thanks again!","commit_id":"9e94c82113cb91854e234b60e9623c0ee254b8e5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"055caf8b7b13b4b1c5ccc046ffac9745b77ce270","unresolved":true,"context_lines":[{"line_number":52,"context_line":"need to offload decision to enable the extension to underlying drivers."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Database model for allowed address pairs may need adjustment to accept the new"},{"line_number":55,"context_line":"special value."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Client library may need to be adjusted to support the new special value \"ANY\""},{"line_number":58,"context_line":"for the \u0027mac_address\u0027 field."}],"source_content_type":"text/x-rst","patch_set":1,"id":"67e27257_163ffd5e","line":55,"updated":"2021-11-02 21:06:23.000000000","message":"In DB model Mac_address is just a string https://github.com/openstack/neutron/blob/81f8524527b8fcbfc5d380700b97e72b73bd8cd1/neutron/db/models/allowed_address_pair.py#L24 so it should be fine but API validator https://github.com/openstack/neutron-lib/blob/bb2d701b4ecd62ab270dc98ec29256f639ec01e7/neutron_lib/api/validators/allowedaddresspairs.py#L23 will need to be changed","commit_id":"9e94c82113cb91854e234b60e9623c0ee254b8e5"},{"author":{"_account_id":9656,"name":"Ihar Hrachyshka","email":"ihrachys@redhat.com","username":"ihrachys","status":"Red Hat Networking Systems Engineer"},"change_message_id":"a64eb3d1dc0493e6d3b20215c7127e49f05c19b7","unresolved":false,"context_lines":[{"line_number":52,"context_line":"need to offload decision to enable the extension to underlying drivers."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Database model for allowed address pairs may need adjustment to accept the new"},{"line_number":55,"context_line":"special value."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"Client library may need to be adjusted to support the new special value \"ANY\""},{"line_number":58,"context_line":"for the \u0027mac_address\u0027 field."}],"source_content_type":"text/x-rst","patch_set":1,"id":"fa58f0e7_ebee3f8f","line":55,"in_reply_to":"67e27257_163ffd5e","updated":"2021-11-29 18:25:44.000000000","message":"Thank you, updated.","commit_id":"9e94c82113cb91854e234b60e9623c0ee254b8e5"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"055caf8b7b13b4b1c5ccc046ffac9745b77ce270","unresolved":true,"context_lines":[{"line_number":74,"context_line":"to match against particular IP addresses, this approach would be functionally"},{"line_number":75,"context_line":"identical to this. That said, I think it\u0027s generally better to avoid"},{"line_number":76,"context_line":"introducing new attributes to base resources, and it\u0027s better to keep"},{"line_number":77,"context_line":"anti-spoofing related functionality under the same attribute."},{"line_number":78,"context_line":""},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"References"}],"source_content_type":"text/x-rst","patch_set":1,"id":"09fea8b2_e71c0d1d","line":77,"updated":"2021-11-02 21:06:23.000000000","message":"and also IIRC our discussion about it from drivers meeting, the way how existing and that new attribute woud work may be confusing for end users IMO. So I\u0027m ok with doing it through ANY value as mac address.","commit_id":"9e94c82113cb91854e234b60e9623c0ee254b8e5"}]}
